Re: [TLS] HSM-friendly Key Computation
Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 24 April 2015 21:37 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A526B1A1B3F for <tls@ietfa.amsl.com>; Fri, 24 Apr 2015 14:37:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tYT0E-aG_R2v for <tls@ietfa.amsl.com>; Fri, 24 Apr 2015 14:37:18 -0700 (PDT)
Received: from mail-lb0-x231.google.com (mail-lb0-x231.google.com [IPv6:2a00:1450:4010:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB7291A1B12 for <tls@ietf.org>; Fri, 24 Apr 2015 14:37:17 -0700 (PDT)
Received: by lbbuc2 with SMTP id uc2so45817627lbb.2 for <tls@ietf.org>; Fri, 24 Apr 2015 14:37:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=Vn6FosxI7R9Ldfc1E9uULgXSv6Ky4dO+UVUxqaLoh7g=; b=sJ3yxgTOyEuLDC4iywDYsoTmLtKzp9KePsmoLDib3nUqquLuA6SlIadJJ2/Iqs9FdY dZjysFIT+BwjpS7inzLRctnJTkg/rOn3UFf827kQlhwpM4+CEfiQoFsgKw4l5wasxuOD KR5Rs/M6SzSzPDdUrH2630WD2dF/uBUOXl87mKXFSjWAVuslEOb3oELqHGkDFOsoyI0p WzJE0TJRbV3XGqE7IXKJEIgJHhUkwZfpWC4hsvOa7gw/m/b64QpS+JnD4KgQGsU1RUxR o7BaAx7aVa5zwPFdwWM0FoEHsijcQHK5ssGyjPFj94FRJygVDidjHUpCAPITorVq6URw Bksw==
X-Received: by 10.152.88.1 with SMTP id bc1mr318556lab.79.1429911436428; Fri, 24 Apr 2015 14:37:16 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.78.66 with HTTP; Fri, 24 Apr 2015 14:36:45 -0700 (PDT)
In-Reply-To: <CABcZeBNx0AvTSXAEfr1pCt-+d_8nztuCZCmVgJ8UxoLtRsfZ1g@mail.gmail.com>
References: <0694C3DB-FB87-42A2-BCC4-CC0F761E9A03@vigilsec.com> <9A043F3CF02CD34C8E74AC1594475C73AB000B0C@uxcn10-tdc05.UoA.auckland.ac.nz> <5533F8D6.9070500@nthpermutation.com> <20150420064243.GA7322@LK-Perkele-VII> <CANeU+ZAL6oT6tP7OcL_8j6kp4oZB9V89R-0PrCdv-N27qVb0HQ@mail.gmail.com> <20150420163755.GA15511@LK-Perkele-VII> <5537D43A.9080802@REDHAT.COM> <20150422173526.GA14496@LK-Perkele-VII> <CABcZeBPN33DM_C0sAmCTFCTdNrcQ7y7eEBcZgPe+2f1EaxtXzA@mail.gmail.com> <55381302.5030307@nthpermutation.com> <CABcZeBN1W-KyNnPd9qU9dFP3dG8E=F1hOyK1NoeH-tsQT8XrFw@mail.gmail.com> <553925F7.5010704@nthpermutation.com> <CABcZeBNx0AvTSXAEfr1pCt-+d_8nztuCZCmVgJ8UxoLtRsfZ1g@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Fri, 24 Apr 2015 17:36:45 -0400
X-Google-Sender-Auth: RiHolBBPUaIekVypdLY3-Uq4ZkE
Message-ID: <CADi0yUPahzbqSNwu6t_1=CenK2P737A6c4Rmpa8Y_TG6J1iX+w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a11c3540c3a8c7305147f338e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/9td1-yIuWNxKt3TbOFzqu5i4Mvo>
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] HSM-friendly Key Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2015 21:37:20 -0000
On Thu, Apr 23, 2015 at 4:07 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Thu, Apr 23, 2015 at 1:03 PM, Michael StJohns <msj@nthpermutation.com> > wrote: > >> On 4/22/2015 7:03 PM, Eric Rescorla wrote: >> >> >> >> On Wed, Apr 22, 2015 at 5:30 PM, Michael StJohns <msj@nthpermutation.com> >> wrote: >> >>> On 4/22/2015 1:37 PM, Eric Rescorla wrote: >>> >>> If we're using HKDF-Extract, can we just key off different labels? >>> >>> -Ekr >>> >>> >> Sorry, read that as "HKD-Expand". >> >> Actually, use HKDF as the term with no expand or extract suffix. >> > > I discussed this extensively with Hugo and Hoeteck and their advice was to > use > them separately in a similar way to what's here (though they suggested a > slightly > different hierarchy which I have to edit in). Perhaps Hugo will weigh in > as to > the reasoning. > I've just addressed this issue in an email in the "confirming the room’s consensus: adopt HKDF PRF for TLS 1.3" thread (it's the first point in the list of issues in that email). Hugo > -Ekr > > >> Mike >> >> >> >> >> >> -Ekr >> >> >>> Basically, no. >>> >>> The Extract function is really not designed to be used standalone but as >>> a way of concentrating entropy for input to the expansion phase. Its >>> dangerous to talk of these functions as separately callable. They are >>> steps not separate functions. >>> >>> The extract step's only non-key input - salt - is not the same as the >>> "info" input used in the expand phase - 'salt' is supposed to be missing or >>> random, not a fixed string like a label. >>> >>> "info" is where the various labels go and that's only present in the >>> expand phase. >>> >>> >>> What you want to do is specify as part of the mixins (e.g. 'info' - e.g. >>> the collection of label and context) a set of fields that describe 1) how >>> the key stream is going to be broken up (eg. lengths of the sub keys), 2) >>> what algorithms will use each of the parts of the key stream, and 3) >>> whether or not those parts are allowed to be exported/extracted. >>> >>> A software module will basically ignore these because - really - its all >>> the same memory although it should really make sure the key lengths and >>> types matc. An HSM will look at these and be able to make policy decisions >>> for protection of the segments (e.g. preventing export of material that was >>> created to be non-exportable). >>> >>> Having all of these in the mixins means that the key stream expansion >>> completely changes if ANY of these mixins change which in turn means that >>> the various ways you can use to extract truly secret key material (as >>> differentiated from exportable material) from an HSM using the currently >>> defined mechanism can be eliminated. (I can explain my reasoning if >>> necessary). >>> >>> >>> Mike >>> >>> >>> >>> >>> On Wed, Apr 22, 2015 at 1:35 PM, Ilari Liusvaara < >>> ilari.liusvaara@elisanet.fi> wrote: >>> >>>> On Wed, Apr 22, 2015 at 10:02:50AM -0700, Robert Relyea wrote: >>>> > On 04/20/2015 09:37 AM, Ilari Liusvaara wrote: >>>> > > >>>> > >There are other places in TLS that fundamentally need to >>>> (indirectly) derive >>>> > >public data out of secret key material. >>>> > That's not a a problem. The problem is using the same mechanism to >>>> derive >>>> > the public data that we use to derive the keys. >>>> > It's even OK to use the same secret key for both (from an HSM POV). >>>> > >>>> > What Michael is saying is that there are existing functions for both >>>> KDF >>>> > (secret material -> key) and Mac (secret material-> unique public >>>> data). >>>> > He's requesting that TLS not have it's own versions of these >>>> functions. >>>> >>>> So would using two different PRF functions, one for parts that don't >>>> downgrade and another for parts that do downgrade (e.g. IV derivation, >>>> unique / finished calculations, exporter calculations, etc..) solve the >>>> issue? >>>> >>>> (Of course, the two functions should be closely related, so not to >>>> annoy software implementations too much)... >>>> >>>> >>>> -Ilari >>>> >>>> _______________________________________________ >>>> TLS mailing list >>>> TLS@ietf.org >>>> https://www.ietf.org/mailman/listinfo/tls >>>> >>> >>> >>> >>> _______________________________________________ >>> TLS mailing listTLS@ietf.orghttps://www.ietf.org/mailman/listinfo/tls >>> >>> >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >>> >> >> > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] HSM-friendly Key Computation Russ Housley
- Re: [TLS] HSM-friendly Key Computation Eric Rescorla
- Re: [TLS] HSM-friendly Key Computation Martin Thomson
- Re: [TLS] HSM-friendly Key Computation Ilari Liusvaara
- Re: [TLS] HSM-friendly Key Computation Yoav Nir
- Re: [TLS] HSM-friendly Key Computation Brian Smith
- Re: [TLS] HSM-friendly Key Computation Eric Rescorla
- Re: [TLS] HSM-friendly Key Computation Peter Gutmann
- Re: [TLS] HSM-friendly Key Computation Benjamin Beurdouche
- Re: [TLS] HSM-friendly Key Computation Michael StJohns
- Re: [TLS] HSM-friendly Key Computation Ilari Liusvaara
- Re: [TLS] HSM-friendly Key Computation StJohns, Michael
- Re: [TLS] HSM-friendly Key Computation Ilari Liusvaara
- Re: [TLS] HSM-friendly Key Computation Robert Relyea
- Re: [TLS] HSM-friendly Key Computation Ilari Liusvaara
- Re: [TLS] HSM-friendly Key Computation Eric Rescorla
- Re: [TLS] HSM-friendly Key Computation Michael StJohns
- Re: [TLS] HSM-friendly Key Computation Eric Rescorla
- Re: [TLS] HSM-friendly Key Computation Ilari Liusvaara
- Re: [TLS] HSM-friendly Key Computation Eric Rescorla
- Re: [TLS] HSM-friendly Key Computation Ilari Liusvaara
- Re: [TLS] HSM-friendly Key Computation Michael StJohns
- Re: [TLS] HSM-friendly Key Computation Michael StJohns
- Re: [TLS] HSM-friendly Key Computation Ilari Liusvaara
- Re: [TLS] HSM-friendly Key Computation Michael StJohns
- Re: [TLS] HSM-friendly Key Computation Eric Rescorla
- Re: [TLS] HSM-friendly Key Computation Eric Rescorla
- Re: [TLS] HSM-friendly Key Computation Ilari Liusvaara
- Re: [TLS] HSM-friendly Key Computation Joseph Salowey
- Re: [TLS] HSM-friendly Key Computation Watson Ladd
- Re: [TLS] HSM-friendly Key Computation Ilari Liusvaara
- Re: [TLS] HSM-friendly Key Computation Hugo Krawczyk